Exception Process

Exception Process and Compliance

Updated 6/11/14

Anyone not in compliance with an Information Security Standard is subject to sanctions including suspension of computer and network privileges and/or the full range of current Institute personnel and student disciplinary processes.

In a small number of circumstances, it may not be possible to comply with an Information Security Standard. The Information Security Office has provided the following method for obtaining an exception to compliance with a published information security standard. Exceptions should be approved and signed by the appropriate Information Trustee (VP, Dean, or CIO). (An email endorsing the exception request is acceptable.)

An exception MAY be granted by the RIT Information Security Office for non-compliance with a standard resulting from:

  • Implementation of a solution with equivalent protection.
  • Implementation of a solution with superior protection.
  • Impending retirement of a legacy system.
  • Inability to implement the standard due to some limitation.

Exceptions are granted for a specific period of time, not to exceed two years. They are reviewed on a case-by-case basis, and approval is not automatic.

The Exception Request should include:

  • Description of the non-compliance
  • Anticipated length of non-compliance
  • Proposed assessment of risk associated with non-compliance
  • Proposed plan for managing the risk associated with non-compliance
  • Proposed metrics for evaluating the success of risk management (if risk is significant)
  • Proposed review date to evaluate progress toward compliance
  • Endorsement of the request by the appropriate Information Trustee (VP, Dean, or CIO).

If the non-compliance is due to a superior solution, an exception will normally be granted until the published standard or procedure can be revised to include the new solution. An exception request should still be submitted.

Submit the Exception Request Form to the Information Security Office, infosec@rit.edu, ROS 10-A200.

Plain English Guide to the Information Security Policy

RIT has issued an Information Security Policy. The Policy provides the strategic direction needed to implement appropriate information safeguards for RIT information and the Institute network. This Plain English Guide provides explanation and illustration of the Policy and is provided as an aid to help you understand and implement the requirements of the Policy. The Policy itself is authoritative. The policy is effective immediately.

Why did RIT issue the policy?

The Policy authorizes RIT to take reasonable measures to protect RIT information and computing assets in an age that is both reliant on electronic media and characterized by increasing Internet-borne threats. These measures apply to RIT information and the technology infrastructure.

In recent years, state and federal legislation has mandated specific protections for different types of information, including educational records (FERPA), financial customer information (Gramm-Leach-Bliley Act), health information (HIPAA), and private information (NYS Information Security Breach and Notification Act).

Why is the information lifecycle important?

The information lifecycle concept and its associated stages (creation, storage, transfer, and destruction) provide a useful framework for information handling. For example, during the creation stage, the creator of the information determines who should have access to the information and how that access is to be granted. During the destruction stage, "out-of-date" information or information used only occasionally may be without appropriate protection and be at greater risk.

What are the roles of Safeguards and Controls?

Most of the legislation above requires affected organizations to explain how they know people don’t have unauthorized access to information. Controls provide the best way of ensuring information protection. Controls can be process based (administrative controls), or technology based (technical controls). Controls focus on one or more of the following: problem prevention, problem detection, or problem correction.

How has RIT implemented this policy?

RIT has implemented the Information Security Policy by conducting risk assessments, issuing and enforcing standards, raising awareness of threats, recognizing best practices, and maintaining relationships with a number of security-focused external entities for benchmarking and sharing of resources.

More specifically,

  • RIT has designated specific individuals, including the RIT Information Security Officer, to identify and assess the risks to non-public or business-critical information within the Institute and establish an Institute-wide information security plan.
  • The RIT Information Security Office creates and maintains standards to protect RIT information systems and its supporting infrastructure, ensure workforce information security, and guide RIT business associates and outsource partners. The creation of these standards is mandated by policy and is in response to the risks that the Institute faces. They are Institute-wide standards, created with representation from across RIT. See our Policies and Standards page for the list of current standards and information about how standards are developed.
  • The RIT Information Security Office provides awareness and training workshops, including its Digital Self Defense classes to help RIT users in the responsible use of information, applications, information systems, networks, and computing devices.
  • The RIT Information Security Office encourages the exchange of information security knowledge through ongoing engagements with security-focused groups, such as Educause, the New York State Cyber-Security Critical Infrastructure Coordination group, InfraGard, and others.
  • RIT periodically evaluates the effectiveness of information security controls in technology and process through risk assessments.

To whom does the policy apply?

The policy applies to the entire RIT community, including RIT employees, student employees, volunteers, and external business associates. Standards articulate how you follow the policy. Each standard has a different scope and may apply to different parts of or activities engaged in by the RIT population.

What do I have to do?

You need to follow all Information Security Policy requirements as articulated in the standards. See our Policies and Standards page for a current list of standards.

Where do I go for more information?

Read the policy and its associated standards. Contact the RIT Information Security Office at infosec@rit.edu if you have more questions.

Mobile Devices

Mobile devices are not always designed with security in mind and, as a result, are not as secure as most computers.

There are a number of ways in which information on a mobile device may be breached: theft of the device, attacks on your service provider, wireless hijacking or "sniffing", and unauthorized access. Because mobile devices may be more easily stolen or compromised, users of these devices must take precautions when using them to store or access Private or Confidential information. 

Private Information and Mobile Device Use

We recommend that Private Information NOT be accessed from or stored on mobile devices. If Private Information must be accessed from or stored on a mobile device, then the information on the mobile device must be encrypted. Password protection alone is NOT sufficient.

To ensure that RIT information will remain secure, you should use only devices that provide encryption while information is in transit and at rest. 

Security requirements for handling RIT Private, Confidential, and other information may be found in the Information Access and Protection Standard.

General Guidelines for Mobile Device Use at RIT

Understand your device

  1. Configure mobile devices securely. Depending on the specific device, you may be able to:
    1. Enable auto-lock. (This may correspond to your screen timeout setting).
    2. Enable password protection.
      1. Use a reasonably complex password where possible.
      2. Avoid using auto-complete features that remember user names or passwords. You may want to use a password safe application where available.
    3. Ensure that browser security settings are configured appropriately.
    4. Enable remote wipe options (third party applications may also provide the ability to remotely wipe the device; if you're connecting to mymail.rit.edu with ActiveSync for email and calendaring, you may wipe all data and applications from your device remotely from mymail.rit.edu).
  2. Disable Bluetooth (if not needed). This will help prolong battery life and provide better security.
  3. Ensure that sensitive websites use https in the browser URL on both your computer and mobile device.
  4. Know your mobile vendor's policies on lost or stolen devices. Know the steps you need to take if you lose your device. Report the loss to your carrier ASAP so they can deactivate the device.

Use added features

  1. Keep your mobile device and applications on the device up to date. Use automatic update options if available.
  2. Install an anti-virus/security program (if available) and configure automatic updates if possible. Like computers, mobile devices have operating systems with weaknesses that attackers may exploit.
  3. Use an encryption solution to keep portable data secure in transit and at rest. WPA2 is encrypted. 3G encryption has been cracked. Use an SSL (https) connection where available.

General tips                

  1. Never leave your mobile device unattended.
  2. Report lost or stolen devices and change any passwords (such as RIT WPA2) immediately.
  3. Include contact information with the device:
    1. On the lock screen (if possible). For example, "If found, please call RIT Public Safety at 585-475-2853."
    2. Engraved on the device.
    3. Inserted into the case.
  4. For improved performance and security, register your device and connect to the RIT WPA2 network where available.

Mobile Device Disposal

Use appropriate sanitation and disposal procedures for mobile devices. Some suggestions can be found from:

Encryption at RIT

Several RIT Security Standards refer to ISO-approved encryption. ISO-approved encryption is divided into two categories: Preferred and Acceptable. Preferred encryption methods were chosen based on standard industry usage and their ability to support RIT business processes. RIT's current product is McAfee FDE.

Preferred Encryption

  • Purpose: Network Connections (including web browsers)
    Encryption Algorithms: TLS 1.x
    RIT Security Standard: Web, Network
    Comments: SSL is no longer secure.
  • Purpose: Laptop/Desktop Encryption
    Encryption Algorithms: AES 256-bit is recommended, although AES 128-bit or higher is adequate. 3DES has also been approved.
    RIT Security Standard: Desktop and Portable Computer
    Comments: Centrally-managed whole disk encryption is required to meet the 2009 Desktop and Portable Computer standard.
  • Purpose: Server
    Encryption Algorithms: AES is recommended at 256-bit.
    RIT Security Standard: Server
    Comments: RC4 is no longer supported.
  • Purpose: Portable Media
    Encryption Algorithms: AES 128-bit and above; 256-bit is recommended. 3DES and Twofish are adequate.
    RIT Security Standard: Portable Media
    Comments: Truecrypt is no longer considered secure.
  • Purpose: Public/Private Key Encryption and Signing
    Encryption Algorithms: PGP 2048-bit or greater and RSA 1024-bit or greater.
  • Purpose: Cryptographic Hashes/Checksums
    Encryption Algorithms: SHA-2 and the Tiger hash are both adequate for hash comparison.
    Comments: SHA-1 and RIPEMD 128 & 160 are considered strong algorithms, but there is reason to suspect that they may be susceptible to collisions (two different inputs producing the same hash), so their use is not recommended in situations where collision resistance is required. In such cases, SHA-2 is recommended.

Acceptable Encryption

Use of non-preferred encryption methods is discouraged. However, we recognize that there may be times when business or other requirements may be better served with an alternative algorithm. In those cases, developers should reference the Educause Encryption Strength Support Matrix. (This matrix and accompanying explanatory text were developed by Jim Moore, RIT Information Security Office.) Algorithms with a strength rating of High are acceptable for use at RIT. Use of algorithms with a strength rating of Low or Medium is not permitted.

Encryption Strength

Encryption strength is a relative concept. Both the algorithm used and the length of the key used to encrypt data determine the strength of encryption. Encryption services also perform various cryptographic functions beyond data encryption.

Key Management Requirements

Security of the key management process for encryption keys is especially important. Security of encrypted content (ciphertext) may be compared to a physical lock and key. The algorithm provides the lock. The encryption key unlocks the ciphertext. If the key is weak or compromised, the encryption can be broken. Key revocation provides a means to disallow or change a compromised key and "re-key" the lock.

Many encryption algorithms have the potential to lock access to data permanently if the key is lost. Key escrow provides a "copy" of the key to enable access to the data.

Centralized encryption/key management ensures that data will remain both encrypted and accessible. Non-centralized or individual encryption without key escrow may disallow access to the encrypted RIT information if the key is lost. Use of non-centralized or individual encryption of RIT information assets would be allowed only through a granted exception and would require an ISO-reviewed key escrow and revocation process.

Updated 12/5/2014

Standards Process

Policy Creation and Approval

Institute policies are created and approved through a shared governance process. A further description of this process can be found on the Academic Senate, Staff Council and Student Government websites. 

Standards Creation and Approval

In 2005, the RIT shared governance organizations approved the Information Security Policy which vested the Information Security Office with the role of leading the RIT community in the creation, approval and implementation of Information Security Standards.

  • Core Teams composed of subject matter experts meet to create draft standards that are supportable and comprehensive.
  • The Information Security Council reviews and approves proposed standards. The Information Security Council is composed of representatives from across the University. The Information Security Council representatives also serve as coordinators in their departments to facilitate the implementation of standards.

Standards Process Overview
